tkhater
2004-07-19, 03:24 AM CDT
I am about to have a cranial meltdown. I am trying to use the built-in ipsec of FC2 to connect 2 networks together. I have been horribly unsuccessful.
Some background: I am not a computer professional, but I have managed to set up a few Linux computers in the past. Currently (as far as this project is concerned), I have 2 Fedora Core 2 servers running each as:
1) DNS Servers (internal and external for their associated domain names)
2) FTP Servers
3) HTTP Servers
4) Mail servers
5) Firewall/Gateways (with appropriate routing to an internal Windows Terminal Services Server)
6) DHCPD Servers (internal)
7) NTP Servers (internal)
8) Caching transparent proxy servers (internal)
9) Samba Servers with hylafax fax server support
10) SSH Servers (OK yeah big deal)
11) Mirrored 120Gig drives
One is like this:
10.1.0.X/24 (internal network) -> eth0 (10.1.0.252) -> Fedora Core 2 -> eth1 (64.XXX.YYY.218) -> DSL Modem to internet through ISP (Gateway 64.XXX.YYY.1)
And the other is like this:
10.1.1.X/24 (internal network) -> eth0 (10.1.0.252) -> Fedora Core 2 -> eth1 (64.XXX.YYY.208) -> DSL Modem to internet through ISP (Gateway 64.XXX.YYY.1)
All of everything above seems to work well, without significant glitches (I think).
Now, I would like to create an IPSEC tunnel between the 2 computers so clients on either network can see clients on the other network securely through the internet.
I have tried FreeSwan, OpenSwan, and the Linux 2.6 kernel internal ipsec stuff. The furthest I got was with the 2.6 kernel stuff, but I can’t seem to get my packets routed from the receiving gateway computer eth1 to the internal network eth0. (I can see them coming across the internet with tcpdump on eth1, but they stop at the destination gateway computer and don't go on to eth0.) I am sure it is either a routing issue or a firewall issue, but well, I can’t figure it out.
Here is the ifconfig data:
[root@ttklinux:/etc/hls] ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:F1:B6:A3:7B
inet addr:10.1.0.252 Bcast:10.1.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:f1ff:feb6:a37b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:24228 errors:0 dropped:0 overruns:0 frame:0
TX packets:24005 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3319702 (3.1 Mb) TX bytes:13355667 (12.7 Mb)
Base address:0xdcc0 Memory:fe9e0000-fea00000
eth1 Link encap:Ethernet HWaddr 00:03:6D:1B:8B:BB
inet addr:64.XXX.YYY.218 Bcast:64.XXX.YYY.255 Mask:255.255.255.0
inet6 addr: fe80::203:6dff:fe1b:8bbb/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:16215 errors:0 dropped:0 overruns:0 frame:0
TX packets:16141 errors:0 dropped:0 overruns:0 carrier:0
collisions:127 txqueuelen:1000
RX bytes:9140886 (8.7 Mb) TX bytes:2600920 (2.4 Mb)
Interrupt:10 Base address:0xec00
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:5555 errors:0 dropped:0 overruns:0 frame:0
TX packets:5555 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:5081087 (4.8 Mb) TX bytes:5081087 (4.8 Mb)
[root@ttklinux:/etc/hls] route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
64.XXX.YYY.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
10.1.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.1.1.0 10.1.0.252 255.255.255.0 UG 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
0.0.0.0 64.XXX.YYY.1 0.0.0.0 UG 0 0 0 eth1
[root@ttklinux:/etc/hls] iptables-save
# Generated by iptables-save v1.2.9 on Sun Jul 18 16:15:44 2004
*mangle
:PREROUTING ACCEPT [979:288098]
:INPUT ACCEPT [208:17104]
:FORWARD ACCEPT [748:269062]
:OUTPUT ACCEPT [154:15865]
:POSTROUTING ACCEPT [902:287051]
-A PREROUTING -i eth1 -p esp -j MARK --set-mark 0x1
COMMIT
# Completed on Sun Jul 18 16:15:44 2004
# Generated by iptables-save v1.2.9 on Sun Jul 18 16:15:44 2004
*filter
:INPUT ACCEPT [160:9160]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [150:15109]
:accept-n-log - [0:0]
:drop-n-log - [0:0]
-A INPUT -i eth1 -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A INPUT -i eth1 -p esp -j ACCEPT
-A INPUT -i eth1 -p ah -j ACCEPT
-A FORWARD -d 10.1.0.0/255.255.255.0 -i eth1 -m mark --mark 0x1 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth1 -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -o eth1 -p esp -j ACCEPT
-A OUTPUT -o eth1 -p ah -j ACCEPT
-A accept-n-log -j LOG --log-prefix "accept-n-log:"
-A accept-n-log -j ACCEPT
-A drop-n-log -j LOG --log-prefix "drop-n-log:"
-A drop-n-log -j DROP
COMMIT
# Completed on Sun Jul 18 16:15:44 2004
# Generated by iptables-save v1.2.9 on Sun Jul 18 16:15:44 2004
*nat
:PREROUTING ACCEPT [49:3619]
:POSTROUTING ACCEPT [6:678]
:OUTPUT ACCEPT [5:434]
-A POSTROUTING -s 10.1.0.0/255.255.255.0 -d ! 10.1.0.0/255.255.255.0 -o eth1 -p ! esp -j SNAT --to-source 64.XXX.YYY.218
COMMIT
# Completed on Sun Jul 18 16:15:44 2004
Any help at all would be greatly appreciated. I have a small budget available to get this working.
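An added example, not part of the original post: a small Python simulator for the FORWARD chain of the iptables-save output above, so you can see which rule (if any) a decapsulated tunnel packet would hit before the chain policy applies. The packet descriptions are constructed; whether the kernel keeps the 0x1 mark on the inner packet after ESP decapsulation is not assumed here and is passed in as the `mark` field.

```python
# Added example: simulate the posted FORWARD chain for a described packet.
import ipaddress

# FORWARD rules and policy copied from the iptables-save output in the post.
FORWARD_POLICY = "ACCEPT"
FORWARD_RULES = [
    "-A FORWARD -d 10.1.0.0/255.255.255.0 -i eth1 -m mark --mark 0x1 -j ACCEPT",
    "-A FORWARD -i eth0 -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT",
    "-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT",
]

# Constructed sample: decrypted inner packet from the far LAN, unmarked, new flow.
INNER_PACKET = {"in_if": "eth1", "out_if": "eth0", "src": "10.1.1.20",
                "dst": "10.1.0.10", "mark": 0, "state": "NEW"}

def parse_rule(rule):
    """Turn one iptables-save line into match criteria plus its -j target."""
    tok, crit, i = rule.split(), {}, 0
    while i < len(tok):
        t = tok[i]
        if t in ("-i", "-o", "-s", "-d", "-j", "--mark", "--state"):
            val = tok[i + 1]
            if t in ("-s", "-d"):
                val = ipaddress.ip_network(val, strict=False)  # accepts dotted masks
            elif t == "--mark":
                val = int(val, 0)                               # "0x1" -> 1
            elif t == "--state":
                val = set(val.split(","))
            crit[t] = val
            i += 2
        else:
            i += 1  # "-A FORWARD", "-m mark", "-m state" carry nothing we need
    return crit

def rule_matches(crit, pkt):
    """Every criterion present in the rule must match the packet description."""
    return ((crit.get("-i", pkt["in_if"]) == pkt["in_if"]) and
            (crit.get("-o", pkt["out_if"]) == pkt["out_if"]) and
            ("-s" not in crit or ipaddress.ip_address(pkt["src"]) in crit["-s"]) and
            ("-d" not in crit or ipaddress.ip_address(pkt["dst"]) in crit["-d"]) and
            ("--mark" not in crit or crit["--mark"] == pkt["mark"]) and
            ("--state" not in crit or pkt["state"] in crit["--state"]))

def forward_verdict(pkt, rules=FORWARD_RULES, policy=FORWARD_POLICY):
    """First matching rule wins; otherwise the chain policy decides. Returns (verdict, rule index or None)."""
    for idx, rule in enumerate(rules):
        crit = parse_rule(rule)
        if rule_matches(crit, pkt):
            return crit["-j"], idx
    return policy, None

if __name__ == "__main__":
    print(forward_verdict(INNER_PACKET))            # ('ACCEPT', None): no rule, policy applies
    print(forward_verdict(dict(INNER_PACKET, mark=1)))  # ('ACCEPT', 0): the mark rule
```

With the posted ruleset an unmarked, NEW packet from 10.1.1.x to 10.1.0.x matches none of the three rules and falls through to the FORWARD policy, which is ACCEPT, so the filter table alone would not stop it; that leaves the routing table (note the 10.1.1.0/24 route via 10.1.0.252 on eth0) and the kernel's IPsec policy as the places to look next.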